plugs: add CSPPlug

lib/pleroma/plugs/csp_plug.ex

@@ -0,0 +1,38 @@
+defmodule Pleroma.Plugs.CSPPlug do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, options) do
+    conn = merge_resp_headers(conn, headers())
+  end
+
+  defp headers do
+    [
+      {"x-xss-protection", "1; mode=block"},
+      {"x-permitted-cross-domain-policies", "none"},
+      {"x-frame-options", "DENY"},
+      {"x-content-type-options", "nosniff"},
+      {"referrer-policy", "same-origin"},
+      {"x-download-options", "noopen"},
+      {"content-security-policy", csp_string() <> ";"}
+    ]
+  end
+
+  defp csp_string do
+    [
+      "default-src 'none'",
+      "base-uri 'self'",
+      "form-action *",
+      "frame-ancestors 'none'",
+      "img-src 'self' data: https:",
+      "media-src 'self' https:",
+      "style-src 'self' 'unsafe-inline'",
+      "font-src 'self'",
+      "script-src 'self'",
+      "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
+      "upgrade-insecure-requests"
+    ]
+    |> Enum.join("; ")
+  end
+end

lib/pleroma/web/endpoint.ex

@@ -12,6 +12,7 @@ defmodule Pleroma.Web.Endpoint do
   # You should set gzip to true if you are running phoenix.digest
   # when deploying your static files in production.
   plug(CORSPlug)
+  plug(Pleroma.Plugs.CSPPlug)
 
   plug(Plug.Static, at: "/media", from: Pleroma.Uploaders.Local.upload_path(), gzip: false)